Thales Alenia Space

Ensuring Software Reliability and Security from Design Through Development

The challenge: Addressing code quality and security

Governments and companies alike rely on Thales Alenia Space, Europe’s largest satellite manufacturer, for satellite-based systems that are used for navigation, Earth observation, space exploration, and to help connect everyone everywhere.

“Thales has a corporate mandate that cybersecurity risk will be addressed at every level of application creation,” said Nicolas Leclercq, product security officer for software engineering at Thales Alenia Space. “Our focus is on ensuring that the code we develop in-house does not include defects that may lead to vulnerabilities and exploitation by attackers. We base our coding rules on SEI CERT, an internationally recognized coding standard to improve the reliability and security of software from design through development.”

“As product security officer, my role encompasses helping our groups set the level of cybersecurity they want and to promote the right security tools to introduce into our continuous integration pipeline,” Leclercq added. “We have a corporate group focused on identifying the best tools we can use to meet internal and industrial standards. That group recommended Synopsys as having the right set of tools to implement our security practices.”

The solution: Synopsys Coverity SAST and Black Duck SCA

“Synopsys Coverity® static analysis security testing (SAST) helps Thales Alenia Space ensure that the software we develop in-house does not include coding defects. We use Coverity to help maintain code quality and to comply with industrial standards such as MISRA and the HIS Metriken set.”

A fast, accurate, and highly scalable static analysis testing solution, Coverity helps Thales Alenia Space development and security teams address security and quality defects early in the software development life cycle (SDLC). It also helps development and security teams track and manage risks and ensure compliance with security and coding standards.

“Coverity is primarily used in our automatic continuous integration pipeline,” said Leclercq. “The pipeline is fully automated to help developers focus on essential tasks. Currently, we serve more than 200 projects and are testing several million lines of code. Any code commit automatically triggers a Coverity analysis.”

“[The flexibility of] Coverity server deployment and licensing allows us to deploy many instances matching the diversity of our environments. Whether a software factory or restricted/confidential environments, Coverity is available to all Thales Alenia Space France employees and projects,” Leclercq said.

Introduced in June 2021, Black Duck® software composition analysis (SCA) is still relatively new at Thales Alenia Space. “Black Duck’s signature scanner’s ability to detect open source components in multiple ways is a unique and useful feature,” said Leclercq. “As with our Coverity deployment, any introduction of a new artifact or when dependencies are modified will trigger a Black Duck scan. We’re currently supporting approximately 100 projects with Black Duck, and expect to reach the same number of projects as our Coverity deployment by the end of 2022.”


The results: Code quality, security, and compliance

“Coverity is a very powerful static analysis tool that can detect issues in almost all kinds of software builds,” Leclercq noted. “For example, cross-compilation—that is, where the build and host machines are not of the same architecture—is used extensively for Thales Space onboard satellite systems. Coverity is very efficient at helping us analyze low-level code such as onboard C code used in flight satellite software.”

“Using Coverity has helped enhance our mandate to ensure code quality and security, as well as to enforce our compliance with SEI-CERT coding standards for C, C++, and Java, and MISRA standards for C. Most importantly, Coverity allows our developers to work on their essential tasks rather than having to allot time to identifying code defects.”

“Being able to detect and manage open source vulnerabilities early in the SDLC helps lower remediation costs,” Leclercq continued. “In addition to vulnerability management, we’ve also found Black Duck very useful in determining the viability of open source projects—that is, ‘is the project we’re using being maintained and updated?’—as well as keeping track of licenses for IP compliance.”

Black Duck SCA has also provided Thales Alenia Space with the means to create and maintain a software Bill of Materials (SBOM) of the open source being used in its code. Visibility into code is an important need—97% of the aerospace industry’s codebases were found to contain open source, according to the 2022 “Open Source Security and Risk Analysis” report.

“We’ve also been very appreciative of the support we’ve received from Synopsys,” said Leclercq. “The ongoing support for Coverity over the past few years has been really good. Whenever we’ve had a problem, the Coverity support team has had a solution.”

“Black Duck SCA is still relatively new to us, and we received a lot of help from the Black Duck support team to address some deployment issues we ran into. I’m happy to say Black Duck is now working like clockwork.”


Thales Alenia Space Case Study | Synopsys

Company Overview

A business unit of the Thales Group, Thales Alenia Space delivers cost-effective solutions for telecommunications, navigation, Earth observation, environmental management, exploration, and science and orbital infrastructures. Thales Alenia Space has approximately 8,900 employees in 10 countries and posted consolidated revenues of approximately €2.15 billion in 2021.
